A central government ministry and a state government may have made public up to 135 million Aadhaar numbers, according to a research report issued by Bengaluru-based think tank Centre for Internet and Society (CIS) late on Monday.

The report titled Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar numbers with sensitive personal financial information studied four government databases.

The first two belong to the rural development ministry—the National Social Assistance Programme (NSAP)’s dashboard and the National Rural Employment Guarantee Act’s (NREGA) portal.

The other two databases deal with Andhra Pradesh—the state’s own NREGA portal and the online dashboard of a government scheme called “Chandranna Bima”.

“Based on the numbers available on the websites looked at, the estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million and the number of bank account numbers leaked at around 100 million from the specific portals we looked at,” said Amber Sinha and Srinivas Kodali, the authors of the research report.

The report claims these government dashboards and databases revealed personally identifiable information (PII) due to a lack of proper controls exercised by the departments.

“While the availability of aggregate information on the Dashboard may play a role in making government functioning more transparent, the fact that granular details about individuals including sensitive PII such as Aadhaar number, caste, religion, address, photographs and financial information are only a few clicks away suggest how poorly conceived these initiatives are,” said the report.

“While the UIDAI (Unique Identification Authority of India) has been involved in proactively pushing for other databases to get seeded with Aadhaar numbers, they take little responsibility in ensuring the security and privacy of such data,” said the report.